Who watches Sony's watcher? Boffins poke holes in surveillance kit

Command injection and stack buffer overflow flaws bedevil cam range

Security researchers at Cisco Talos have found two serious flaws with Sony's network-facing surveillance kit, the IPELA E Series Network Camera.

A command injection vulnerability in the measurementBitrateExec functionality could be abused to cause arbitrary commands to be executed in response to a maliciously contracted HTTP request.

And an exploitable stack buffer overflow flaw in the "802dot1xclientcert.cgi" functionality of the camera range is worse since it directly opens up the door to remote code execution on vulnerable devices.

"A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution," Cisco Talos reported. "An attacker can send a malicious POST request to trigger this vulnerability."

The vulnerabilities discovered by Cory Duplantis and Claudio Bozzatoare detailed in a blog post here.

El Reg invited Sony to comment on the findings. We'll update this story as and when we hear more. ®




Biting the hand that feeds IT © 1998–2018